the aspectra blog IT know-how & more, since 2012

Not all that glitters is GDPR

Microsoft's German Azure Cloud does not fully comply with data protection regulations, even though it is operated by the German company T-Systems. This is the conclusion of iX, the magazine for professional information technology.

Because it is operated in trust by the German company T-Systems, the German Azure Cloud is expected to be GDPR-compliant; this is what Microsoft promised. The magazine iX set out to verify that promise. Wireshark was used to inspect the network traffic of a Windows instance, and strace, tcpdump and ngrep were used to check the network traffic of a Linux instance. It turned out that data was being sent to a public IP address without authorization.
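The check iX performed on the Linux instance amounts to capturing egress traffic and looking for destinations the provider never declared. The following added example (written for this post, not tooling from iX, aspectra or Microsoft) parses constructed tcpdump-style lines and reports outbound flows to addresses that are neither inside the tenant's private or link-local ranges nor on a hypothetical allowlist of declared endpoints; the sample addresses are documentation ranges, not the addresses iX observed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in "tcpdump -nn" style. 10.0.0.4 plays the Azure VM;
# 198.51.100.20 and 203.0.113.77 are RFC 5737 documentation addresses.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.0.0.4.43122 > 10.0.0.5.443: Flags [S], seq 1, length 0
12:00:01.100002 IP 10.0.0.4.43123 > 198.51.100.20.443: Flags [S], seq 1, length 0
12:00:02.000003 IP 10.0.0.4.43124 > 203.0.113.77.80: Flags [P.], seq 1:200, length 199
12:00:02.500004 IP 10.0.0.4.43124 > 203.0.113.77.80: Flags [P.], seq 200:900, length 700
12:00:03.000005 IP 198.51.100.20.443 > 10.0.0.4.43123: Flags [S.], seq 2, length 0
12:00:04.000006 IP 10.0.0.4.43125 > 169.254.169.254.80: Flags [S], seq 1, length 0
"""

# Hypothetical allowlist: endpoints the provider has declared to the customer.
DECLARED_ENDPOINTS = {"198.51.100.20"}

# Ranges treated as "inside the tenant": RFC 1918 plus link-local (cloud
# metadata services such as 169.254.169.254 live there).
TENANT_NETS = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
    r".*length (?P<len>\d+)$"
)


def is_internal(ip_text):
    """True if the address falls in one of the tenant's own ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in TENANT_NETS)


def parse_flows(capture):
    """Yield (src, dst, dport, payload_len) for every parseable tcpdump line."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"]), int(m["len"])


def undeclared_egress(capture, declared):
    """Return {dst: payload bytes} for flows leaving the tenant's network
    towards public addresses that are not on the declared allowlist."""
    seen = Counter()
    for src, dst, _dport, length in parse_flows(capture):
        if not is_internal(src) or is_internal(dst) or dst in declared:
            continue
        seen[dst] += length
    return dict(seen)
```

Any address the script reports is one the customer would have to ask the provider to account for, which is exactly the gap the iX test exposed.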

Sending data to an unauthorized IP address without the customer's knowledge is at the very least unseemly. In and of itself this would not necessarily be a GDPR problem, as long as no customer data is involved and the IP address terminates within Germany. However, since neither point is clearly declared by Microsoft or T-Systems, it does become a problem. Under the GDPR, the contracting party must be able to prove in the event of a dispute that the customer's data was processed in compliance with the regulation. That is not possible when data about which the customer is not informed is being transmitted, and the network traffic is going to an unspecified IP address.

Maybe there is a system to it, maybe it's just teething troubles. But the Azure Cloud, although operated in Germany in trust by T-Systems, is apparently not data protection compliant. Other clouds have not been tested, but the results are likely to be similar.

Source:

iX 9/2018: Datenschutz: Wie DSGVO-konform ist die Azure-Cloud von T-Systems?

Update:

Microsoft is discontinuing its dedicated German cloud offerings with data trusteeship by Deutsche Telekom. (Heise Online, 31.08.2018)
